U.S. Senator Jerry Moran announced on 12 March 2020 that he had introduced a bill (SB 3.456) (‘the Bill’) for the Consumer Data Privacy and Security Act of 2020 and released a summary (‘the Summary’) on the same. The Bill aims to establish a clear federal standard for data privacy protection, giving businesses a uniform standard rather than a patchwork of state laws: it would expressly pre-empt any provision of a law, rule, regulation, or other requirement of any state or locality to the extent that such provision relates to the privacy or security of personal data.
Scope of application
The Bill would apply to any business or non-profit that collects the consumer data of more than 20,000,000 individuals or the sensitive data of more than 1,000,000 individuals and is not already covered by regulations that protect the privacy of healthcare and banking information. Moreover, the Bill clearly delineates the obligations of covered entities (as defined above), third parties, and service providers, specifically in relation to the notice that must be given to individuals prior to the processing of their personal data. The Bill also mandates notice and consent requirements for different or additional collection or processing and obliges third parties to exercise due diligence when relying on representations from a covered entity.
Obligations of covered entities
In addition, the Bill includes provisions obliging covered entities to, among other things:
- provide publicly available privacy policies;
- use affirmative consent in the access, rectification, correction, and erasure of a data subject’s personal data; and
- conduct privacy impact assessments before beginning a new collection or processing activity or making material changes in its processing of personal data.
According to Moran, one of the main purposes of the Bill is to provide consumers with more control over their own data and to increase accountability for businesses that collect and process a significant amount of personal data. The Bill also contains specific rules for service providers and for covered entities that enter into contractual agreements with such service providers, including ensuring that adequate safeguards and procedures are put in place to protect the privacy and security of personal data, and investigating circumstances where there is a risk of non-compliance with the aforementioned obligations.
Furthermore, the Bill would mandate the Federal Trade Commission (‘FTC’) to appoint at least 440 new workers to oversee privacy and security. Although there is no private right of action included in the Bill, it does include provisions allowing the FTC to take enforcement actions against violators, and state attorneys general will be able to bring civil actions on behalf of other state’s citizens in lieu of personal lawsuits. Finally, under the Bill the FTC will be given increased oversight in relation to monitoring compliance with its provisions.
The Bill has been referred to the U.S. Senate Commerce, Science, and Transportation Committee for consideration.
Edidiong Udoh, Privacy Analyst